A while ago my colleague blogged about the importance of secret questions in keeping your online accounts safe. We came to the conclusion that security questions, in many implementations, can actually decrease your overall level of security. Security questions are a secondary means of authentication used when the primary method fails. So when you forget your webmail password, you’ll be asked a pre-arranged secret question that you must answer to reset your password and regain access to your account. During the presidential election last year, VP candidate Sarah Palin’s Yahoo email was hacked, because of weak secret questions and a little googling. A paper was published recently with some hard data, it can be downloaded here, and makes for an interesting read.

From the abstract:

All four of the most popular webmail providers — AOL, Google, Microsoft, and Yahoo! — rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintance with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers. Participants forgot 20% of their own answers within six months. What’s more, 13% of answers could be guessed within five attempts by guessing the most popular answers of other participants, though this weakness is partially attributable to the geographic homogeneity of our participant pool.

The testing methodology seems sound and the paper contains a lot of interesting statistics on the most commonly used secret questions and how and by whom they can be compromised. For example, if a site allows the user to submit their own question/answer pair, the paper conlcuded that 24% of these are vulnerable to guessing with no other knowledge except geographic location, another 23% are vulnerable to guessing by coworkers, clients or family members. Another paper on this topic is available here. It focuses on financial instutions and the impact of the social networking phenomenom. They concluded that 33% of banking institutions’ security questions were “guessable” and that 12% of their question sample was “automatically attackable” via data commonly contained on facebook/myspace/etc. profiles.

Related Blogs

• Related Blogs on passwords
• Creating Secure Passwords You Can Pronounce « Begin Linux Blog
• Free Presale Passwords – Friday, May 29 |

• Related Blogs on Security
• Security and Hacking: Reporting Cyber Crime | The Blog Herald

This entry was posted on Tuesday, May 26th, 2009 at 4:50 pm and is filed under Privacy, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.